Friendly Fire: how AI coding agents get tricked into running someone else's code during auto-review
A proof-of-concept study published by the AI Now Institute on 9 July 2026 shows: autonomous AI coding agents can be tricked, while in “auto-review” or “auto-mode”, into executing untrusted, hidden code — precisely while they're supposed to be checking a repository for security risks. Tested systems were Anthropic Claude Code (versions 2.1.116, 2.1.196, 2.1.198, 2.1.199) and OpenAI Codex (0.142.4), across the models Claude Sonnet 4.6, Sonnet 5, Opus 4.8 and GPT-5.5. No CVE was assigned — the researchers explicitly classify the finding as an architecture/workflow problem, not a patchable vulnerability.
What does the research show?
The researchers built a repository whose README.md disguises a binary as a “legitimate Go build” and, in the body text, suggests running a security.sh script — ostensibly for verification. When an AI coding agent in auto-mode “reviews” this repository, it follows the instruction hidden in the documentation and executes the payload autonomously, without human approval. Both Claude Code and OpenAI Codex were affected, across multiple tested model versions — the effect isn't an isolated quirk of one model but a pattern tied to the “auto-review”/“auto-mode” functionality itself.
How does the attack work?
At its core this is classic prompt injection applied to a tool with execution rights: an agent reading files to understand a repository treats the contents of README.md as trusted context — including instructions that have no business being there. Combined with the ability to execute commands (say, to build tests or verify build steps), a plausible-sounding instruction like “run security.sh to verify” is enough to launch the payload. The agent does not reliably distinguish between legitimate project documentation and an attacker's embedded commands — the same pattern already documented in the Miasma and “Comment and Control” cases on this blog.
Why it matters
The finding hits a growing use case particularly hard: AI agents routinely tasked with “automatically” checking third-party code or pull requests for security risks — exactly the use case where trust in unknown code matters most. When the review agent itself becomes the execution environment for the code under review, the protective function inverts. For teams that give AI agents production access (deploy keys, CI secrets, cloud credentials), this isn't an abstract risk: a successfully injected agent potentially has the same rights as the agent itself.
What to do now
Immediate steps
- Avoid auto-mode/auto-review for reviewing untrusted third-party code — require manual approval for every command execution.
- Sandbox agents with execution rights as a baseline — even though containment is described as “imperfect” in the study, it reduces blast radius.
- Set up monitoring for agents executing binaries that are only referenced in documentation (README, comments) rather than the actual build process.
- Don't delegate code security reviews with execution rights on production systems to agents as a rule.
Decision block
Act now if: you use AI coding agents in auto-mode against unknown/external code, especially with access to secrets or production systems. Monitor if: agents run exclusively with manual per-command approval in isolated environments.
Frequently asked questions about Friendly Fire
Does this affect regular coding assistance too, not just security reviews?+
The PoC focuses on the security-review/auto-review use case, but the underlying risk — documentation as an implicit command channel — applies generally wherever an agent with execution rights reads repository content as context.
Is sandboxing enough protection?+
Per the study, only as a supplementary measure, not a sole one — containment is explicitly described as “imperfect”. Manual approval for command execution remains the more robust control.
Are only Claude Code and OpenAI Codex affected?+
Those are the systems concretely tested in the study (multiple versions, multiple models). The underlying pattern — auto-mode plus execution rights plus unvetted documentation as context — is not inherently limited to these two products.
Is this a patchable vulnerability with a CVE?+
No. The researchers explicitly classify the finding as a design/workflow problem — it concerns the combination of automatic file interpretation and execution rights, not a single code defect.
Conclusion
“Friendly Fire” is further evidence that the biggest weakness in many AI agent deployments isn't the model — it's the combination of automatic execution and uncritical trust in external text. For security reviews specifically: anyone deploying AI agents exactly where unknown code needs checking should consistently avoid auto-mode and tie command execution to human approval.
I set up guardrails for your AI coding agents — approval workflows, sandboxing and monitoring included.
Audit of your agent workflows for auto-mode risk, rollout of manual approval for command execution, sandboxing concepts, and monitoring for unusual agent actions.
Platform operations instead of advice on paper: I harden your AI agent pipelines against prompt injection and execution abuse.
About the author
![[Translate to English:] Foto von Kai Ole Hartwig.](/fileadmin/_processed_/e/9/csm_ole-neu_73323ad80d.jpeg)
Kai Ole Hartwig
Programming since 2002 – self-taught, set up my own business with KO-Web in 2012. Over 100 projects, with a focus on security, performance, automation and quality. Today freelance: DevSecOps consulting, training and software development.